Integrating Operational Functions in Cyber Ops
White paper
Executing Commander’s Intent at Machine Speed: The integrated cyber platform: Operates, Secures and Defends in Cyberspace
The operationalization of data has changed the nature of operations across the globe and
across all industries. It has also changed the demands and capabilities on the medium
of maneuver for this data – the network. With the need for more operationalized data in
today’s environment, the network is the platform for cyberspace.
The Department of Defense has long recognized the decision advantage that data provides
to military operations. Information has recently been recognized as one of the Joint
Military Functions defined in Joint Publication 3.0. The Information function helps
commanders and staffs understand and leverage the pervasive nature of information, its
military uses, and its application during all military operations. The establishment of U.S.
Cyber Command emphasizes the significance of and the need to protect and control
DoD networks as the medium of maneuver for data. An integrated cyber platform remains
essential for operational success – both in the cyber domain and in support of all other
physical operational domains (land, sea, air and space).
Now, more than ever, the demands on military networks in cyberspace require the
Department of Defense to operate the network as it would any platform (ship, tank, aircraft)
in the physical space, not only to command and control operations in cyberspace, but also
to ensure the network supports outcomes and decision advantage in the physical space.
In order to operate, secure, and defend their networks, the Department of Defense requires
an integrated cyberspace platform that operates at machine speed and, thus, can enable
24/7 information effects across multiple domains. An integrated cyberspace platform
automatically interprets, implements, and enforces Commander’s Intent and, as a single
cyber platform, allows for the integrated execution of the military operational functions of:
Information, Command and Control, Intelligence, Maneuver, Protection, and Sustainment.
With these integrated capabilities, the network functions as a single platform capable of
autonomously acting as the “On-Scene Commander” to automatically detect and react
to threats; provide unprecedented situational awareness; enforce policy and procedure;
execute advanced schemes of maneuver; and provide decision advantage to the
Department through the secure-seamless maneuver of data.
Fundamentals
Joint Publication 3.0 has recently added “Information” as one of the seven (7) Joint operational functions:
Command and Control, Information, Intelligence, Maneuver, Protection, Sustainment, and Fires. In order to operate,
secure, and defend DoD Networks and produce operational outcomes in cyberspace, an integrated cyber platform
allows for the seamless and automated integration of these operational functions, leveraging the network components
which comprise the foundation of the platform’s infrastructure. This paper will examine how the operational functions
of Command and Control, Intelligence, Maneuver, Protection, and Sustainment integrate across a cyber platform to
support the Information function. Operationally implemented, this integrated cyber platform serves as the medium of
maneuver for data.
Operational Functions

Information
Joint Function: “encompasses the management and application of information and its deliberate integration with other joint functions...to support human and automated decision making.”
Cyber Operational Function:
• Ensures the availability of timely, accurate, and relevant information necessary for decision making.
• Improves the speed and accuracy of information flow and supports mission execution.
• Facilitates operational environment understanding through information sharing and collaboration capabilities to support the command and control and intelligence joint functions.
• Receives, organizes, stores, controls, makes available, protects and secures data.
• Innate security that incorporates defense, detection, response, and restoration capabilities to self-protect, shield and preserve data.

Command & Control
Joint Function: “the exercise of authority and direction by a properly designated commander over assigned and attached forces in the accomplishment of the mission.”
Cyber Operational Function:
• Handling network authentication, granular access control, and rapid device discovery
• Executing protective segmentation orders when necessary
• Provisioning of all devices at scale per Command’s Intent
• Conducting continuous monitoring and enforcing policy
• Making adjustments for optimal performance across network, devices, and applications
(1) Command and Control is defined as “the exercise of authority and direction by a properly designated commander
over assigned and attached forces in the accomplishment of the mission.” Hence, the function consists of two parts:
(1) the inherent authority vested in the entity to (2) issue controlling actions that support mission accomplishment.
Effective Command and Control is the result of multiple successful exchanges of information that occur across and
through people, processes and technology. Ultimately, complex and timely information must be conveyed to the right
decision-maker(s) in command authority and the appropriate controlling orders must be conveyed back for action and
execution.
Observing all the data and information flowing from the multitude of devices that comprise the cyber platform is
essential, but the near-simultaneous, rapid orientation to the significance of that data and information for the
decision entity remains critical to realizing the cyber platform’s command and control function.
Exercising command and control over all the devices and appliances across the enterprise network, and across
all cloud services, requires that these capabilities operate at machine speed not only to command and control
the integrated cyber platform, but also augment and assist the cyber intelligence, maneuver, protection, and
sustainment functions—providing multiple, seamless, successful exchanges of information for decision and action at
machine speed.
(2) Intelligence is “the product resulting from the collection, processing, integration, evaluation, analysis, and
interpretation of available information concerning...hostile or potentially hostile forces or elements.” Threat intelligence
combined with situational awareness of one’s own forces (or, network devices) provides the entity vested with
command and control authority with (1) the critical pieces of observable information and (2) an orientation to
the threat with context and relevance to the force.
In order to operate the network as a cyber platform, threat intelligence must be ingested and evaluated rapidly to
allow for fast orientation of the threat in context to the entire cyber platform. Decisions and network actions can then
be executed rapidly across the entire platform. The platform’s data flows of the many devices, routers, switches,
firewalls, sensors and appliances that constitute a modern network provide the greatest situational awareness of all
– the integrated cyber platform is the best sensor when all of these network flows and device telemetry can be
integrated and analyzed automatically – and understood in context to any threats.
It is essential that the integrated cyber platform’s command and control capabilities integrate directly with the cyber
platform’s intelligence capabilities. Together, these capabilities, which should leverage integrated network flows
and telemetry, can provide unmatched visibility and situational awareness. The platform’s tight integration of these
functions accelerates John Boyd’s famous Observe – Orient – Decide – Act Loop to machine speed.
The core component of any operation in any domain is solid, actionable intelligence. The technical means of
gathering intelligence in the cyber domain include analyzing numerous public and private intelligence feeds every
day, looking for new threats and acting on information in real time to develop new detection indicators and content.
Delivering actionable intelligence requires obtaining malicious software samples by compiling data acquired
from platform telemetry along with global honeypots, sandboxes, and industry partnerships in the malware community.
Thus, the cyber platform’s intelligence capabilities must automatically identify the wide range of threats, including:
malware (even in encrypted traffic), zero-day attacks, distributed denial-of-service (DDoS) attempts, advanced
persistent threats (APTs) and insider threats. The integrated cyber platform automatically interprets the recognized
threat in context across all of the key terrain of the cyber platform instantly: cloud services, network devices,
endpoints, e-mail services, and web services. The integrated intelligence capabilities enable the cyber platform’s
command and control function to act as the first operational “On-Scene Commander” in the presence of a threat to
the platform.
(3) Maneuver is the action or movement of forces to a position of relative advantage over the threat. Just as modern
warfare recognized that static defenses can be easily overwhelmed whereas maneuver forces can rapidly and
dynamically achieve relative advantage, modern cyber defenses require network agility, resiliency and automated
segmentation, all applied dynamically to respond to everything from the most seemingly benign unpatched endpoint
to numerous, or even massed, cyber threats.
One of the complexities of the human-made cyber domain remains that it continues to grow dynamically in size and
shape. The operationalization of data to enhance operational outcomes has resulted in an unending explosion of more
devices, including additional sensors being added to the cyber platform and with more data to maneuver across
the platform. The maneuver function in cyberspace directly supports the protection function through an adaptive
security architecture that implements advanced network segmentation and network access capabilities in order to
prevent, detect, respond, and also predict intrusions or malicious activity through continuous visibility and validation.
The integrated platform’s command and control and intelligence functions not only enable the network to act as the
best sensor, but also enable the platform to execute and enforce the Commander’s Intent. The integrated platform
automatically provides continuous detection, response and predictive capabilities to issue maneuver orders to
segment, block and control access across the cyber platform to ensure cyber platform protection.
Cyber Operational Function (Maneuver, from the table): • Extends and integrates portion across the local Platform with Cloud as one Platform
(4) Protection is fundamental to network security and seeks the preservation of the effectiveness of the network,
network access, and the assured access, availability and integrity of the data on the network. Like the physical world,
the protection and defensive capabilities are layered across the entire fabric of the cyber platform, to include the
Cloud. Intelligence, maneuver and command and control functions work together to support and enable cyber
platform protection.
As discussed above describing cyber platform maneuver, micro-segmentation delivers secure network access
using a comprehensive, integrated network access and policy control solution with granularity that enables access
authorization with advanced identity management – down to individual devices, individual users, individual ports and
individual applications – as well as specified combinations of all of these.
The integrated cyber platform must provide essential defense-in-depth capabilities that inspect network traffic to
understand network behavior, detect traffic anomalies, and identify and block breaches. Malware protection must be
deployed in depth across networks, endpoints, e-mail, and web proxies, integrate directly into firewalls and
routers, and extend across all cloud services. Protection solutions must combine the power of big data analytics,
point-in-time detection, and retrospective security (continuous analysis) capabilities. Suspicious files must be
dynamically sandboxed to quickly examine and identify threats and provide immediate feedback across the entire cyber
platform.
Coupled tightly with the intelligence function, the cyber platform must provide its “own-force monitoring” capability
together with advanced security analytics. By collecting and analyzing massive amounts of NetFlow data the platform
can provide visibility and actionable information to security and response teams. Not only is it essential to monitor
traffic going in and out of the network (north-south), but it is also essential to monitor lateral (east-west) traffic to
detect attacks spreading inside the network and identify insider threats. Sophisticated behavioral analytics combined
with automated baselining of normal activity enables the platform to rapidly identify anomalous traffic and augments
manual analysis associated with incident investigation, reducing troubleshooting efforts from days or even months to
just minutes.
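The east-west baselining described above, as an added example that is not part of the Cisco paper: constructed NetFlow-style records are split into north-south and east-west by RFC 1918 membership (an assumption about the internal address space), a per-host baseline of normal lateral fan-out is built from prior days, and hosts whose fan-out exceeds the baseline are flagged as possible lateral spread.

```python
"""
Added example (not from the paper): classify constructed flow records as
north-south or east-west, baseline each host's normal east-west fan-out
(distinct internal destinations), and flag hosts exceeding that baseline.
All flow records here are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: these RFC 1918 ranges are the platform's internal address space.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)

def direction(src: str, dst: str) -> str:
    """East-west when both endpoints are internal; otherwise north-south."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"

def lateral_fanout(flows):
    """Count distinct internal destination hosts per internal source host."""
    fan = defaultdict(set)
    for src, dst, _dport in flows:
        if direction(src, dst) == "east-west":
            fan[src].add(dst)
    return {src: len(dsts) for src, dsts in fan.items()}

def baseline(history):
    """Mean and population stdev of per-host fan-out over the baseline window."""
    values = [v for day in history for v in day.values()]
    return mean(values), pstdev(values)

def anomalies(today, history, k=3.0, floor=2):
    """Hosts whose fan-out exceeds mean + k*stdev, with a minimum margin (floor)."""
    mu, sigma = baseline(history)
    threshold = max(mu + k * sigma, mu + floor)
    return sorted(h for h, n in today.items() if n > threshold)

# Constructed baseline window: three days of normal flows as (src, dst, dport).
HISTORY = [lateral_fanout(day) for day in [
    [("10.1.1.5", "10.1.2.10", 445), ("10.1.1.6", "10.1.2.10", 445), ("10.1.1.5", "10.1.2.11", 3389)],
    [("10.1.1.5", "10.1.2.10", 445), ("10.1.1.6", "10.1.2.12", 445), ("10.1.1.7", "10.1.2.10", 445)],
    [("10.1.1.5", "10.1.2.11", 3389), ("10.1.1.6", "10.1.2.10", 445), ("10.1.1.7", "10.1.2.13", 22)],
]]

# Constructed current day: 10.1.1.9 contacts twelve internal hosts on SMB,
# which is the lateral-spread pattern east-west monitoring is meant to catch.
TODAY_FLOWS = [("10.1.1.5", "10.1.2.10", 445), ("10.1.1.9", "8.8.8.8", 53)] + \
    [("10.1.1.9", f"10.1.2.{i}", 445) for i in range(20, 32)]

def run():
    """Return the hosts flagged for the constructed current day."""
    return anomalies(lateral_fanout(TODAY_FLOWS), HISTORY)

if __name__ == "__main__":
    print(run())
```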
Solutions for cloud security must be wholly integrated for the cyber platform’s protection capability to operate at
machine speed. The extension of the cyber platform to include multiple cloud-enabled architectures (“Multi-Cloud”)
creates the opportunity for new operational outcomes. The “Cloud” (or “Multi-Cloud”) is
an integral part of the cyber platform and must benefit from the same protection, command and control, and
intelligence-based visibility functions and associated capabilities as before. The integrated cyber platform must be
capable of protecting users, data, and applications across cloud-computing architectures, such as Software-as-a-
Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Identity-as-a-Service (IDaaS).
An integrated cyber platform monitors usage in real time and extends essential controls into cloud applications.
This includes providing a DNS layer of protection in the network security stack to protect users anywhere they go.
Extensive real-time threat intelligence must work in conjunction with DNS to keep users from connecting to malicious
sites. Since DNS precedes all Internet activity, it is a powerful way to enforce security and gain insight across the
cyber platform.
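The DNS-layer enforcement described above, as an added example that is not the paper’s or Cisco’s code: a resolver-side policy check consults a constructed threat-intelligence feed before answering, walks parent domains so a listed zone covers its subdomains, sinkholes high-confidence matches and logs lower-confidence ones for visibility. The sinkhole address, confidence threshold and feed entries are all constructed assumptions.

```python
"""
Added example (not from the paper): DNS-layer policy enforcement driven by
a threat-intelligence feed. The feed, sinkhole address and confidence
threshold are constructed assumptions, not real indicators or settings.
"""
from dataclasses import dataclass
from typing import Optional

SINKHOLE = "10.255.255.1"   # assumption: internal sinkhole for blocked names
MIN_CONFIDENCE = 70          # assumption: entries below this are monitor-only

@dataclass(frozen=True)
class Indicator:
    domain: str
    category: str
    confidence: int

# Constructed feed keyed by normalized domain (not real indicators).
FEED = {
    "bad-c2.example": Indicator("bad-c2.example", "c2", 95),
    "phish.example.net": Indicator("phish.example.net", "phishing", 80),
    "lowconf.example.org": Indicator("lowconf.example.org", "suspicious", 40),
}

def normalize(name: str) -> str:
    """Strip the trailing dot of a fully qualified name and lowercase it."""
    return name.rstrip(".").lower()

def lookup(name: str) -> Optional[Indicator]:
    """Most specific feed entry covering the name or any parent zone.

    The bare top-level label is never checked, so a feed cannot block a TLD.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):
        hit = FEED.get(".".join(labels[i:]))
        if hit:
            return hit
    return None

def resolve_policy(client: str, qname: str, upstream_answer: str):
    """Return (answer to hand the client, log record or None)."""
    hit = lookup(qname)
    if hit is None:
        return upstream_answer, None
    record = {"client": client, "qname": normalize(qname),
              "indicator": hit.domain, "category": hit.category}
    if hit.confidence >= MIN_CONFIDENCE:
        record["action"] = "block"      # enforce: answer with the sinkhole
        return SINKHOLE, record
    record["action"] = "monitor"        # visibility only: pass upstream answer
    return upstream_answer, record

if __name__ == "__main__":
    # Constructed queries from an internal client with a placeholder upstream answer.
    for q in ("www.bad-c2.example.", "lowconf.example.org", "example.com"):
        print(q, resolve_policy("10.1.1.5", q, "203.0.113.7"))
```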
(5) Sustainment is described as the provisioning of logistics and personnel services required to maintain and prolong
operations until successful mission accomplishment. In the cyberspace domain, sustaining the delivery of data to
the right decision-maker or into the hands of the correct consumer to provide decision advantage remains the main
purpose and function of the cyber platform and its operators, 24 hours a day, 365 days a year. The sustainment and
underlying management of the cyber platform must leverage automation, ensure security and be able to maneuver
rapidly to meet the demands of fast-paced, data-intensive operations, and adapt to new demands. As discussed,
the cyber platform must be able to integrate intelligence, command & control, maneuver, and protection
operational functions while understanding and autonomously acting on Command’s Intent as the first On-Scene
Commander, handing off only the most complex actions to its operators to resolve. Sustaining operations on the
cyber platform requires simplified interfaces to maintain situational awareness and execute complex cyber platform
operations on a single pane of glass: quickly, efficiently, and with economy of force.
Advanced software defined networking (SDN) simplifies network management to move more quickly, lower costs
through automation, boost network performance through assurance and analytics, and continuously ensure
comprehensive security. With advanced software defined networking, the cyber platform can:
• Move faster: Provision thousands of devices across the network. Act fast with centralized management and
automated device deployment.
• Reduce risk: Predict problems easily. Use actionable insights for optimal performance of the network, devices, and
applications.
• Cut costs: Reduce errors with automation. Policy-driven deployment and onboarding deliver better uptime and
improved security.
Complicating the sustainment function in cyber operations, the rise of cloud-based applications, hybrid-cloud
networks, and IoT is impacting existing network operations. The need to maximize bandwidth utilization, optimize
cloud connectivity and globally improve security posture is challenging with traditional wide area network (WAN)
architectures. Furthermore, the disparate nature of traditional WAN infrastructures makes it difficult to gain
comprehensive visibility of applications and infrastructure, which hinders failure resolution and effective forecasting of
resources.
Advanced SDN provides the cyber platform with advanced routing, segmentation, and security capabilities for
interconnecting the most complex enterprise networks – enabling sustained cyber platform maneuver at the largest
scale. SDN technology allows organizations to automatically build and re-architect secure, policy-controlled and cost-
effective WANs rapidly — agility is a must-have characteristic of the modern cyber platform! SDN delivers decreased
operating complexity as an integrated solution; reduces capital expenses and operating costs; increases cyber
personnel productivity; and reduces the threat of security breaches to the cyber platform and its data and applications
through automation and advanced micro-segmentation.
The integrated cyber platform ensures sustainable operations with agility and flexibility to connect users and
devices to the right data and applications through a cloud-enabled edge. No matter where the associated data and/
or applications reside, the platform maneuvers data all the way to the edge seamlessly and securely – regardless
of the data or application’s location – be it locally at the edge, or connecting local and remote data centers, or in
multiple data centers, and/or across all private clouds, and/or public clouds. While enabling the Joint information
function through the sustained and rapid maneuver of data, the integrated cyber platform simultaneously ensures
self-protection through a Commander’s Intent-driven software defined secure perimeter that provides end-to-
end automated security and resiliency. This capability establishes multilayer protection to ensure survivability,
sustainability and mission accomplishment.
Summary
DoD requires an integrated cyber platform that automatically interprets, implements, and enforces Commander’s
Intent. As the critical contributor to accomplishing the Joint information function, the integrated cyber platform executes
the military operational functions of command and control, intelligence, maneuver, protection, and sustainment
simply, effectively, with agility, and at machine speed. The cyber platform’s uniquely integrated capabilities, across
individual devices, the network topology, and the cloud, enable the platform to act autonomously
as the “On-Scene Commander” to: automatically detect and react to threats; provide unprecedented situational
awareness; enforce policy and procedure; and execute advanced schemes of maneuver.
Ultimately, this cyber platform, operationally implemented as the medium of maneuver for data, enables the Joint
information function by providing decision advantage and enabling information effects across multiple domains for
the Department of Defense. Such a cyber platform exists today (see below) and stands ready to securely maneuver
data—from edge to enterprise—at machine speed. A highly maneuverable cyber platform designed to serve and
strengthen operations as a multi-cloud-ready, Commander’s Intent-driven application-centric infrastructure, with
pervasive visibility and security built throughout.
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list
of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1110R)